Sheet1

NISPOM Chapter 8 Check List

Based on NISPOM Chapter 8 Requirements.
Check List Compiled By: Darren Bennett (dbennett@cyberintel.com and Joe Keegan (joe_jjk3@hotmail.com ) )

Assessor Name:
Reference Checklist Objective and Security Test Standard Sub-Section Confirmation Question

Assessment Date:
Results Findings Compliance Y/N

Section1.ResponsibilitiesandDuties
1.100. 1.101a 8.100. 8.101a General Responsibilities For CSA Responsibilities For CSA Responsibilities For CSA Responsibilities For CSA Establishment of a line of authority for training, oversight, program review, certification, and accreditation of IS used by contractors for the processing of classified information The CSA conducted a risk management evaluation based on the contractors facility, the classification, and sensitivity of the information processed An IS Security Policy addressing the classified processing environment has been published and promulgated An IS Security Manager (ISSM) has been appointed with oversight responsibility for the development, implementation, and evaluation of the facility's IS security program Contractor management is certain that the ISSM is trained to a level commensurate with the complexity of the facility's IS The CSA has been Designated Accrediting/Approving authority (DAA) The ISSM has read and understands the responsibilities as per Section 8.103 of the NISPOM chapter 8 The ISSO(s) has/have read and understand the responsibilities as per Section 8.104 of the NISPOM chapter 8 Privileged and general users of the IS have read and understand the responsibilities as per Section 8.105 of the NISPOM chapter 8

1.101a2 1.101b 1.101b2

8.101a-2 8.101b 8.101b2

1.101b3 1.102.

8.101b3 8.102. Designated Accrediting/ Approval Authority IS Security Manager (ISSM) Responsibilities Information System Security Officer(s) (ISSO) Users of IS

1.103. 1.104.

8.103. 8.104.

1.105.

8.105.

Section2.CertificationandAccreditation
2.100. 2.101. 2.102. 8.200. 8.201. 8.202. Overview Certification Process Accreditation

Section3.CommonRequirements
3.100. 3.101. 3.101a. 8.300. 8.301. 8.301a. Introduction Clearing and Sanitization Clearing

3.101b.

8.301b.

Sanitization

Prior to re-use of media in an area that has an acceptable level of protection for the data, has all data on the media been eradicated? Including Memory, Buffers and reusable memory To prevent access to previously stored information. Prior to release of media to an area that does not have an acceptable level of protection for the data, has all data on the media been removed? (i.e. Release from classified information controls or release to a lower classification level)

3.102. 3.102a.

8.302. 8.302a.

Examination of Hardware and Software IS Software

3.102b.

8.302b.

IS Hardware

Has all commercially procured software been tested to ensure the software contains no obvious features that might be detrimental to the security of the IS? Has Security-related software been tested to verify that the security features function as specified? Has the hardware been examined to determine that it is in good working order and has no elements that might be detrimental to the secure operation of the IS when under facility control and cognizance? (Changes and developments that affect security may require re-examination)

3.103.

8.303.

Identification and Authentication Page 1

Sheet1 3.103a. 3.103b. 8.303a. 8.303b. Management Unique Identification Authentication at Login Applicability of Logon Authentication Is each user uniquely identified and is that identity associated with all auditable actions taken by that individual? Is each user required to authenticate their identity at login by using an authenticator (i.e. password) as well as their user id before executing any application or utility on the system? Is it possible to waive the requirement for Logon Authentication (are all of the following statements true?) *The workstation does not have a permanent internal hard drive, and the removable hard drive and other associated storage media are stored in an approved security container when not in use *All of the users with access to the workstation and the security container/ removable media have the required clearance level and need-to-know for all of the data processed on the workstation *The workstation is located within an approved security area, and all uncleared/lower-cleared personnel are escorted within the area. Access to Has access to authentication data been restricted to Authentication authorized personnel through the use of encryption or Data file access controls, or both? User ID Reuse Have all previous access authorizations (including file accesses for that user ID) been removed prior to reuse of any user ID's? (If applicable) User ID Removal Have users that have terminated employment, lost access to the system for cause, or no longer have reason to access the IS had their user ID and its authentication disabled or removed from the system? User ID User IDs are revalidated annually (or more frequently) Revalidation Protection of Authenticators in the form of knowledge Individual (password) or possession (smart card, keys) are not Authenticator shared with anyone. Protection of Are all of the following requirements met when using Individual passwords as authenticators? Passwords (1) Passwords shall be protected at a level commensurate with the sensitivity level or classification level and classification category of the information to which they allow access. (2) Passwords shall contain a minimum of eight non-blank characters, shall be valid for no longer than 12 months and changed when compromised. (3) Passwords shall be generated by a method approved by the CSA. Password acceptability shall be based on the method of generation, the length of the password, password structure, and the size of the password space. The password generation method, the length of the password, and the size of the password space shall be described in an attachment to the SSP. (4) When an IS cannot prevent a password from being echoed (e.g., in a half-duplex connection), an overprint mask shall be printed before the password is entered to conceal the typed password. (5) User software, including operating system and other security-relevant software, comes with a few standard authenticators (e.g., SYSTEM, TEST, and MASTER) and passwords already enrolled in the system. The ISSO shall ensure that the passwords for all standard authenticators are changed before allowing the general user population access to the IS. The ISSO shall also ensure that these passwords are changed after a new system version is installed or after other action is taken that might result in the restoration of these standard passwords. Maintenance Cleared Have all maintenance personal been cleared to the Maintenance highest classification level on the system and Personnel been indoctrinated for all information processed on the system? When possible, will an appropriately cleared and technically knowledgeable, facility employee be present within the area where the maintenance is being performed to ensure that security procedures are being followed? Uncleared (or Are the following procedures followed when allowing Lower-Cleared) access to the system by uncleared or lower-cleared Maintenance maintenance personnel? Personnel (1) an appropriately cleared and technically qualified escort monitors and records the maintenance person's activities in a maintenance log. Uncleared maintenance personnel must be U.S. citizens. (2) System initiation and termination shall be performed Page 2

3.103c.

8.303c.

3.103d. 3.103e. 3.103f.

8.303d. 8.303e. 8.303f.

3.103g. 3.103h.

8.303g. 8.303h.

3.103i.

8.303i.

3.104. 3.104a.

8.304. 8.304a.

3.104b.

8.304b.

Sheet1 by the escort. In addition, keystroke monitoring shall be performed during access to the system (3) Prior to maintenance, the IS shall be completely cleared and all non-volatile data storage media shall be removed or physically disconnected and secured. When a system cannot be cleared procedures, which are identified in the SSP, shall be enforced to deny the maintenance personnel visual and electronic access to any classified data contained on the system. 3.105. 8.305. Malicious Code Have policies and procedures to detect and deter incidents caused by malicious code, such as viruses or unauthorized modification to software, been implemented? Are all files checked for viruses before being introduced on the IS and checked for other malicious code as feasible? Is the use of personal or public domain software strongly discouraged? Each installation of such software must be approved by the ISSM. 3.106. 3.106a. 8.306. 8.306a. Marking Hardware , Output, and Media Hardware Do all components of the IS, including input/output Components devices that have the potential for retaining information, terminals, stand-alone microprocessors, or word processors used as terminals, bear a conspicuous, external label that states the highest classification level and most restrictive classification category of the information accessible to the component in the IS? (If the CSA requires that labels be color coded to indicate classification level they shall be orange for Top Secret, red for Secret, blue for Confidential, and green for unclassified.) Hard Copy Output Have methods been established for hard copy output and Removable (paper, fiche, film, and other printed media) and Media removable media to be marked with visible, human-readable, external markings to the accreditation level of the IS unless an appropriate classification review has been conducted or in the case of media, the information has been generated by a tested program verified to produce consistent results and approved by the CSA. Such programs will be tested on a statistical basis to ensure continuing performance. Unclassified Is all unclassified media in the CSA-approved areas Media marked as unclassified? Personnel Security For all personnel with system access, are system security policies; and maintaining and monitoring the confidentiality, integrity, and availability attributes that are inherent within their IS. Duties, responsibilities, privileges, and specific limitations of IS users, both general and privileged, been specified in writing? Are security duties distributed to preclude any one individual from adversely affecting operations or the integrity of the system? 3.108. 3.108a. 8.308. 8.308a. Physical Security Safeguards Have safeguards been established that prevent or detect unauthorized access to the IS and unauthorized modification of the IS hardware and software? Hardware integrity of the IS, including remote equipment, shall be maintained at all times, even when all classified information has been removed from the IS. All classified processing takes place in a CSA-Approved area. Are all devices that display or output information in human-readable form positioned to prevent unauthorized individuals from reading the information? Do all personnel granted unescorted access to the area containing the IS have an appropriate security clearance? Has/Will media be protected to the level of accreditation until an appropriate classification review has been conducted. 3.110. 3.110a. 8.310. 8.310a. Review of Output and Media Human readable An appropriate sensitivity and classification review shall output review be performed on human-readable output before the output is released outside the security boundary to determine whether it is accurately marked with the appropriate classification and applicable associated security markings. Media Review Electronic output, such as files, to be released outside Page 3

3.106b.

8.306b.

3.106c. 3.107.

8.306c. 8.307.

3.108b. 3.108c. 3.108d. 3.109.

8.308b. 8.308c. 8.308d. 8.309.

Classified Processing Visual Access Unescorted Access Protection of Media

3.110b.

8.310b.

Sheet1 the security boundary shall be verified by a comprehensive review (in human-readable form) of all data on the media including embedded text (e.g., headers and footer) before being released. Information on media that is not in human-readable form (e.g., embedded graphs, sound, video, etc.) will be examined for content using the appropriate software application. CSA-approved random or representative sampling techniques may be used to verify the proper marking of large volumes of output. 3.111. 3.111a. 8.311. 8.311a. Configuration Management Configuration Documentation Have processes been implemented to identify and document the type, model and brand of system or network component (e.g., workstation, personal computer, or router), security-relevant software product names and version or release numbers, and physical location? Have procedures been implemented to identify and document system connectivity, including any software used for wireless communication, and any communications media? Is the sensitivity level of each connection or port controlled by the Security Support Structure (SSS) documented? Has the facility CM program been documented in a CM plan that includes the following? (1) Formal change control procedures to ensure the review and approval of security-relevant hardware and software. (2) Procedures for management of all documentation, such as the SSP and security test plans, used to ensure system security. (3) Workable processes to implement, periodically test, and verify the CM plan. (4) A verification process to provide additional assurance that the CM process is working effectively and that changes outside the CM process are technically or procedurally not permitted.

3.111b.

8.311b.

System Connectivity Connection Sensitivity CM Plan

3.111c. 3.111d.

8.311c. 8.311d.

Section4.ProtectionMeasures
4.100. 4.101. 4.101a. 8.400. 8.401. 8.401a. Protection Profiles (intro) Level of Concern Information Sensitivity Matrices

Have the information sensitivity matrices (tables 1, 2, and 3 in Section 4 of the NISPOM Chapter 8) been used to establish the appropriate protection levels for confidentiality, and the level of concern for integrity, and availability? (if contractually mandated)

4.101b.

8.401b.

(1) Has a determination of high, medium, or basic been made for each of the three attributes: confidentiality, integrity, and availability? It is not necessary for the level of concern to be the same for all attributes of the system. (2) Has the highest level of concern for each category been used when multiple applications on a system result in different levels of concern for the categories of confidentiality, integrity, and availability? Confidentiality What is the established Confidentiality Level of Level of Concern Concern? In considering confidentiality, the principal question is the necessity for supporting the classification levels and the categories of information (e.g., Secret National Security Information) on the system in question. The Protection Level Table for Confidentiality (Table 4) combines the processing environment with the level of concern for confidentiality to provide a Protection Level. The Protection Level is then applied to Table 5 to provide a set of graded requirements to protect the confidentiality of the information on the system. Integrity What is the established Integrity Level of Level of Concern Concern? In considering integrity, the principal question is the necessity for maintaining the integrity of the information on the system in question.

________________

4.101c.

8.401c.

________________

4.101d.

8.401d.

Availability What is the established Availability Level of Level of Concern Concern? In considering availability, the principal consideration is the need for the information on the system in question to be available in a fixed time frame to accomplish a mission. Page 4

________________

Sheet1 4.102. 8.402. Protection Level (Determined by the relationship between two parameters: first, the clearance levels, formal access approvals, and need-to-know of users; and second, the level of concern based on the classification of the data on a particular system.) 4.102a. 8.402a. Protection Level 1 Do all users have all required approvals for access to all information on the system? (all users must have all required clearances, formal access approvals, and the need-to-know for all information on the IS, i.e. dedicated mode.) Do all users have all required clearances, and all required formal access approvals,but at least one user lacks the need-to-know for some of the information on the system? (i.e. a system high mode.) Do all users have all required clearances, but at least one user lacks formal access approval for some of the information on the system?(i.e. compartmented mode.) What is the established Protection Level for the system? (based on the criteria above) ________________ Is this ok as is? The tables listed in section 8-403 of the NISPOM chapter 8 represent Protection Profiles. Use these tables to assist in determining the Level of Concern and Protection Level of each system.

4.102b.

8.402b.

Protection Level 2

4.102c.

8.402c.

Protection Level 3 Appropriate Protection Level Protection Profiles

4.102. 4.103.

8.402. 8.403.

Section5.SpecialCategories
5.100. 5.101. 8.500. 8.501. Overview Single-User, Stand-alone

Is the system a single-user, stand-alone system? Has the CSA approved administrative and environmental protection measures for the system in lieu of technical ones? What are the specific administrative/environmental measures that have been specified? (or where are they defined) (Systems that have one user at a time, are sanitized between users and periods of different classification/sensitivity, are periods processing systems as covered below) 5.102. 5.102a. 8.502. 8.502a. Periods Processing Periods Processing Will the system be used for Periods Processing? (Periods processing provides the capability to either have more than one user or group of users (sequentially) on a single-user IS who do not have the same need-to-know or who are authorized to access different levels of information; or use an IS at more than one protection level (sequentially).) What specific sanitization procedures will be employed by each user before and after each use of the system? What procedures for sanitization of all information before transitioning from one period to the next (e.g., whenever there will be a new user(s) who does not have an access authorization or need-to-know for data processed during the previous period, changing from one protection level to another) have been established? Is there separate media for each period of processing? Including copies of operating systems, utilities, and applications software? If there are multiple users of the system and the system is not capable of automated logging, has the CSA required manual logging? (Audit trails are not required for single-user stand-alone systems) Specialized systems acting as pure servers in a network that do not fit the protection level criteria may need fewer technical security countermeasures. Are the following statements true of the system? (ALL must be true) (1) No user code is present on the system. (2) Only system administrators and maintainers can access the system. (3) The system provides non-interactive services to clients (e.g., packet routing or messaging services). (4) The hardware and/or application providing network Page 5

5.102b. 5.102c.

8.502b. 8.502c.

Sanitization after use. Sanitization Between Periods

5.102d 5.102e.

8.502d. 8.502e.

Media For Each Period Audit

5.103. 5.103a.

8.503. 8.503a.

Pure Servers Specialized Systems

Sheet1 services otherwise meet the security requirements of the network. (5) The risk of attack against the Security Support Structure (SSS) using network communication paths is sufficiently low. (6) The risk of attack against the SSS using physical access to the system itself is sufficiently low. The Does the system meet PL-3 security Platform requirements? (minimum) Are all users who use the guard/server application limited to specific capabilities? Does the guard application/server provide more stringent technical protections appropriate for the systems protection level and operational environment? Are assurances appropriate to the level of concern for the system implemented? Understanding Is it understood that a system with general users or what is NOT that executes general user code are NOT pure a Pure Server servers? (and must therefore meet all security requirements specified for their protection level and operational environment) The Is it understood that a system may be considered Term Pure a pure server even though it may not resemble Server what has been traditionally refered to as a server? (i.e. a messaging system on a general purpose computer platform could be accredited under this section if it meets the requirements in 8.503b (above)) Understanding Is it understood that the above mentioned technical that these security requirements that have been eased do not exceptions do imply any relaxation in other security requirements? not imply (i.e. physical and communications requirements) relaxation of Is it also understood that this easing of technical other security requirements is predicated upon adequate application requirements of physical security and other appropriate security disciplines? Tactical, Has the CSA determined that this system is sufficiently Embedded, incapable of alteration, and that the application(s) Data-Acquisition, running on the system provide an adequate level of and Specialsecurity? (If so, the system does not have to meet Purpose additional security requirements specified for Systems more-general-purpose systems in this section) Systems with Provided that the systems includes an acceptable level Group of individual accountability, shall group authenticators Authenticators be used for broader access after the use of a unique authenticator for initial authentication and will this be documented in the SSP? (Group authenticators may not be shared with anyone outside the group)

5.103b.

8.503b.

5.103c.

8.503c.

5.103d.

8.503d.

5.103e.

8.503e.

5.104.

8.504.

5.105.

8.505.

Section6.ProtectionRequirements
6.100. 6.101. 6.101a. 8.600. 8.601. 8.601a. Introduction Alternate Power Source (Power) Power 1 Requirements

6.101b.

8.601b.

Power 2 Requirements

6.102. 6.102a. 6.102a1.

8.602. 8.602a. 8.602a1.

Audit Capability Audit 1 Requirements

Have the power requirements for each of the systems been determined? (None, Power 1 or Power 2) Have procedures to gracefully shutdown systems without the loss of data been developed and tested? Have all the systems been attached to an alternate power source, such as an un-interruptible power supply (UPS)? If not has this decision been documented? Have the time requirements to transfer the system to another power source for the hosted applications been documented? Have procedures to transfer systems to another power source within the required time been developed and tested? Have the audit requirements for each of the systems been determined? (Audit 1, Audit2, Audit3 or Audit 4)

6.102a2. 6.102a3.

8.602a2. 8.602a3.

6.102a4. 6.102b. 6.102b1. 6.102c. 6.102c1. 6.102d.

8.602a4. 8.602b. 8.602b1. 8.602c. 8.602c1. 8.602d.

Has the system been configured to create and maintain an Automated Audit audit trail or log that includes the information located in Section Trail Creation 8.602.1a-1f of NIPSOM Chapter 8? If the system is PL-1 and is unable to create an maintain an audit trail, have procedures been developed and documented to provide an alternate method of accountability for user activities? Audit Trail Have the contents of the audit trails been protected against Protection unauthorized access, modification, or deletion? Audit Trail Is analysis of the audit trail performed at least weekly? Are Analysis relevant events from that analysis documented and reported? Is the frequency of audit trail analysis documented in the System Security Plan (SSP)? Audit Record Are audit records retained for at least on review cycle or as Retention required by the CSA? Audit 2 Requirements Is the system in compliance with the audit 1 requirements? Individual Is periodic testing of individual accountability mechanisms Accountability conducted by the ISSO or ISSM? Audit 3 Requirements Is the system in compliance with the audit 2 requirements? Automated Audit Is audit analysis and reporting scheduled and performed by Analysis automated tools? Audit 4 Requirements Is the system in compliance with the audit 3 requirements?

Page 6

Sheet1 6.102d1. 6.103. 6.103a. 8.602d1. 8.603. 8.603a. Backup and Restoration of Data (Backup) Backup 1 Requirements Does the audit trail record changes to the mechanism's list of user formal access permission? Have the backup and recovery requirements for each of the systems been determined? (backup 1, backup 2, backup 3)

6.103a1. 6.103a2. 6.103b. 6.103b1. 6.103b2. 6.103c. 6.103c1. 6.104. 6.104a.

8.603a1. 8.603a2. 8.603b. 8.603b1. 8.603b2. 8.603c. 8.603c1. 8.604. 8.604a.

6.104a1. 6.104b.

8.604a1. 8.604b.

6.104b1. 6.105.

8.604b1. 8.605.

Have procedures for the regular backup of all essential and security-relevant information, including software tables and Backup settings, such as router tables, software, and documentation, Procedures been documented? Has the frequency of backups been defined by the ISSM, with the assistance of the GCA, and documented in the backup Backup Frequencyprocedures? Backup 2 Requirements Is the system compliant with backup 1 requirements? Backup Media Is media containing backup files and backup documentation Storage stored at another location? Verification of Backup Procedures Is periodic verification of backup procedures preformed? Backup 3 Requirements Is the system compliant with backup 2 requirements? Information Restoration Is incremental and complete restoration of information from Testing backup media tested on an annual basis? Changes to Data Have the integrity requirements for each of the systems been (Integrity) determined? (none, integrity 1 and integrity 2) Integrity 1 Requirements Have procedures and technical system features been implemented to ensure that changes to the data and IS Change software are executed only by authorized personnel or Procedures processes? Integrity 2 Requirements Is the system compliant with integrity 1 requirements? Is the transaction log, protected from unauthorized changes, available to allow the immediate correction of unauthorized data and IS software changes and the off-line verification of all Transaction Log changes at all times? Data Transmission (Trans) Are one or more protections, defined in section 8.605a1, used whenever classified information is to be transmitted through areas or components where individuals not authorized to have access to the information may have un-escorted physical or uncontrolled electronic access to the information or communications media (e.g., outside the system perimeter)? Have the access requirements for each of the systems been determined? (access 1, access 2, access 3) Is physical access by unauthorized individuals only allowed under the constant supervision of technically qualified, authorized personnel? Is the system compliant with the access 1 requirements? Have discretionary access controls been implemented on the system? Does the discretionary access control policy include administrative procedures to support the policy and its mechanisms? Is the system compliant with the access 2 requirements? Is there a process or mechanism that allows users (or processes acting on their behalf) to determine the formal access approvals granted to another user? Is there a process or mechanism that allows users (or processes acting on their behalf) to determine the sensitivity level of data? Have the I&A requirements for each of the systems been determined? (I&A 1, I&A 2, I&A3, I&A 4 and I&A5) Are there procedures that include provisions for uniquely identifying and authenticating the users?

6.105a. 6.106. 6.106a. 6.106a1. 6.106b. 6.106b1.

8.605a. 8.606. 8.606a. 8.606a1. 8.606b. 8.606b1.

Trans 1 Requirements Access Controls (Access) Access 1 Requirements Physical Access Access 2 Requirements Discretionary Access Controls

6.106c. 6.106c1. 6.106c2. 6.107. 6.107a. 6.107b. 6.107b1.

8.606c. 8.606c1. 8.606c2. 8.607. 8.607a. 8.607b. 8.607b1.

Access 3 Requirements

Identification and Authentication (I&A) I&A 1 Requirements I&A 2 Requirements

6.107c.

8.607c.

6.107c1.

8.607c1.

Is the system compliant with the I&A 1 requirements? Is there a management mechanism that ensures a unique identifier for each user and that associates that identifier with Unique Identifiers all auditable actions taken by the user? Are the requirements for authenticators defined in section Authenticators 8.607.b1 documented in the SSP? I&A 3 Requirements Is the system compliant with the I&A 2 requirements? Is access to the IS by privileged users who either reside outside of the IS's perimeter or whose communications traverse data links that are outside the IS's perimeter required to use strong authentication ( i.e., an I&A technique that is resistant to replay attack)?

Page 7

Sheet1 If the means of authentication is user-specified passwords, does the ISSM employ (with the approval of the CSA) automated tools to validate that the passwords are sufficiently strong to resist cracking and other attacks intended to discover the user's password? If users are remotely accessing the IS, Is a strong authentication mechanism required.

6.107d. 6.107e. 6.108. 6.108. 6.109. 6.109a.

8.607d. 8.607e. 8.608. 8.608. 8.609. 8.609a.

I&A 4 Requirements I&A 5 Requirements

Resource Control Have the ResrcCtrl requirements for each system been (ResrcCtrl) determined? (None or ResrcCtrl 1) Has a process been developed and tested to ensure the system contains no residual data before being assigned, ResrcCtrl 1 allocated, or reallocated. Session Controls Have the SessCtrl requirements for each system been (SessCtrl) determined? (SessCtrl 1 or SessCtrl 2) SessCtrl 1 Requirements Are all users notified prior to gaining access to a system that system usage is monitored, recorded, and subject to audit, and that by using the system, he/she has granted consent to such monitoring and recording, and that unauthorized use is User Notification prohibited and subject to criminal and civil penalties? Does each initial screen (displayed before the user log on) contain a warning text, provided and approved by the CSA, to the user and that requires positive action by the user to remove the notice from the screen. If it is not possible to provide an initial screen warning notice, is an other method of notification developed and approved by the CSA used? Successive Are successive logon attempts controlled as specified in Logon Attempts section 8.609a2 ? Does the system grant entry only in accordance with the System Entry conditions associated with the authenticated users profile? If no explicit entry conditions are defined, is the default to prohibit all remote activities, such as remote logons and anonymous file access? SessCtrl 2 Requirements Is the system compliant with the SessCtrl 1 requirements? If the IS supports multiple logon sessions for each user ID or account, does the IS provide a protected capability to control Multiple Login the number of logon sessions for each user ID, account, or specific port of entry? Control Does the IS default to a single logon session? Does the IS detect an interval of user inactivity, such as no keyboard entries, and disable any future user activity until the user re-establishes the correct identity with a valid User Inactivity authenticator? Is the inactivity time period and restart requirements documented in the SSP? Is the user notified upon successful logon of: the date and time of the users last logon; the location of the user at last logon; and the number of unsuccessful logon attempts using this user Logon Notification ID since the last successful logon? Does this notice require positive action by the user to remove it from the screen? Security Documentation (Doc) Doc 1 Requirements SSP Does the SSP contain the name, location, and phone number of the responsible system owner, CSA, ISSM, and ISSO? Does the SSP contain a brief narrative description of the system or network mission or purpose and architecture, including subnetworks, communications devices, and protocols? Does the SSP contain the sensitivity or classification levels, and categories of all information on the system and clearance, formal access approval and need-to-know of IS users? Does the SSP contain The confidentiality level of concern and protection level, the integrity level of concern, and the availability level of concern? Does the SSP Identify protection measures and how they are being met? Does the SSP contain a description of any approved variances from protection measures? Is a copy of the approval documentation shall be attached to the SSP? Does the SSP contain a description of the risk assessment of any threats or vulnerabilities unique to the system. If there are no threats or vulnerabilities unique to the facility or system, Is there a statement to that effect included in the SSP? If any vulnerabilities are identified by the assessment of unique threats, are the countermeasures implemented to mitigate the vulnerabilities described? Does the SSP contain a brief description of the system architecture, including a block diagram of the components that show the interconnections between the components and any connections to other systems, and an information flow diagram.

6.109a1.

8.609a1.

6.109a2. 6.109a3.

8.609a2. 8.609a3.

6.109b.

8.609b.

6.109b1.

8.609b1.

6.109b2.

8.609b2.

6.109b3.

8.609b3.

6.110. 6.110a. 6.110a1.

8.610. 8.610a. 8.610a1.

Page 8

Sheet1 If connections to other systems exist, a memorandum of understanding is necessary if the systems are approved by a person other than the CSA responsible for this system. Does the SSP contain a copy of any memorandum of understanding with other agencies? Does the SSP contain a brief description of the security support structure including all controlled interfaces, their interconnection criteria, and security requirements? Does the SSP contain Test plans, procedures, and test reports including risk assessment? Does the SSP contain The test plan for ongoing testing and the frequency of such testing? Does the SSP contain a certification statement that the system complies with the requirements of the protection level and levels of concern for this system? Is the statement signed by the ISSM? Does the SSP contain the documentation for accreditation including the certification package? Did the CSA approve the package and provide accreditation documentation? If the system is Protection Level 3, are the functions of ISSO and system manager performed by separate people? Are Procedures and IS features implemented to ensure that IS recovery is done in a controlled manner. Have the SysAssur requirements for each system been determined? (SysAssur1, SysAssur 2 or SysAssur 3)

6.111. 6.112. 6.112a. 6.113. 6.113a. 6.113a1. 6.113b. 6.113b1. 6.113b2. 6.113c. 6.113c1. 6.114.

8.611. 8.612. 8.612a. 8.613. 8.613a. 8.613a1. 8.613b. 8.613b1. 8.613b2. 8.613c. 8.613c1. 8.614.

Separation of Function Requirements (Separation) System Recovery (SR) SR 1 Requirements System Assurance (SysAssur) SysAssur 1 Requirements Access to Protection Functions SysAssur 2 Requirements Protection Documentation Periodic Validation of SysAssur SysAssur 3 Requirements SSS Isolation Security Testing (Test) Test 1 Requirements Test 2 Requirements

Is Access to hardware/software/firmware that perform systems or security functions limited to authorized personnel? Is the system compliant with the SysAssur 2 requirements? Are the protections and provisions of the SysAssur documented? Do features and procedures exist to periodically validate the correct operation of the hardware, firmware, and software elements of the SSS and are documented in the SSP? Is the system compliant with the SysAssur 3 requirements? Does the SSS maintain a domain for its own execution that protects it from external interference and tampering (e.g., by reading or modifying its code and data structures)? Have the test requirements for each system been determined? (Test 1, Test 2 or Test3) Is assurance provided to the CSA that the system operates in accordance with the approved SSP and that the security features, including access controls and configuration management, are implemented and operational? Is the system compliant with the Test 1 requirements? Is written assurance provided to the CSA that the IS operates in accordance with the approved SSP, and that the security features, including access controls, configuration management and discretionary access controls, are implemented and operational? Is the system compliant with the Test 2 requirements? Has Certification testing been conducted, using a test plan including the requirements defined in section 8.614c1, including verification that the features and assurances required for the Protection Level are functional? If disaster recovery planning is contractually mandated, Did the ISSM develop a plan that identifies the facility's mission essential applications and information, procedures for the backup of all essential information and software on a regular basis, and testing procedures?

6.114a. 6.114b.

8.614a. 8.614b.

6.114b1. 6.114c.

8.614b1. 8.614c. Test 3 Requirements

6.114c1.

8.614c1. Disaster Recovery Planning

6.115.

Section7.InterconnectedSystems
Interconnected Systems Management

8.615.

7.100.

8.700.

7.100a. 7.100c.

8.700a. 8.700c.

7.100d.

8.700d.

7.100e.

8.700e.

For two or more connected networks, has the CSA reviewed the security attributes of each network to determine whether the combination of data and/or the combination of users on the connected network requires a higher protection level? Have all interconnected networks been accredited as a single unit? If systems that process information at differing classification levels or with different compartmentalization are interconnected, have they been interconnected in a manner that meets the requirements defined in section 8.700d1 8.700d3? If an IS is connected to another system that does not meet either 8.700d2 or 8.700d3, does the system utilize a Controlled Interface (CI) that meets the requirements defined in section 8.700e1 8.700e3?

Page 9

Sheet1 Controlled Interface Functions Controlled Interface Requirements Does the CI monitor and enforce the protection requirements of the network and adjudicate the differences in security policies? Does the CI base its routing decisions on information that is Routing Decisions supplied or alterable only by the SSS? Restrictive Protection Does the CI support the protection requirements of the most Requirements restrictive of the attached networks or IS? User Code Is user code prohibited from running on the CI? Has The CI been implemented such that all possible failures shall result in no loss of confidentiality or unacceptable Fail-Secure exposure to loss of integrity or availability? Communication Does the CI ensure that communication policies and Limits connections that are not explicitly permitted are prohibited? Only Privileged Do only privileged users, such as systems admins, have Users access to the CI? Has each CI been tested and evaluated to ensure that the CI, Assurances for as implemented, can provide the separation required for the CI's systems protection level? Adjudicated Differences

7.101. 7.102. 7.102a. 7.102b. 7.102c. 7.102d. 7.102e. 7.102f. 7.102g. 7.103.

8.701. 8.702. 8.702a. 8.702b. 8.702c. 8.702d. 8.702e. 8.702f. 8.702g. 8.703.

Page 10